Cool Solution - Custom LDAP ACLs

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.


This article will show you how to assign rights on a user of your choice via Custom LDAP ACLs for managing domain users and groups.


First of all, install the package univention-custom-ldap-acls from the Cool Solutions repository via the command

univention-install univention-custom-ldap-acls

The package should create some new UCR variables. Check these with the following command:

ucr search --brief ldap/acls

You should see these variables:

ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid 
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no 
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups 
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup 
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes 
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user 
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount

Create extended attributes

After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes → LDAP ACLs

You will find the two custom attributes groups-modify and users-create. Make sure that they have the following settings:

First tab:

Unique name: <users-create or groups-modify> 
Short description: Create user

Second Tab:

Modules to be extended: "Container: Container"
Modules to be extended: "Container: Organizational Unit"

Third tab:

LDAP object class: univentionCustomACLReferences 
LDAP attribute: univentionCustomACLReferenceUserCreate
Remove object class if the attribute is removed: (check this box)

Fourth tab:

Ordering number: 1
Tab name: authorization

Last tab:

Syntax class: userDn
Multi value: (check this box)
Editable after creation: (check this box)

Editing container

The next step is to give the users of your choice the authorization over the users container in the LDAP directory module. Go to the LDAP directory and edit the container via right click → Edit and move to the tab authorization. Now you can add one or more users with their DNs. To find out the DN of a specific user execute the following command in the command line while replacing with the username of the user:

univention-ldapsearch uid=<username> | grep ^dn

The output should be something as the follows:

dn: uid=<username>,cn=users,dc=example,dc=com

Now you can copy the output, except for the "dn: ", into the text field in the Authorization tab and click on Save.

Create policies for users

The next step is to give the users of your choice the permission to access the Users and the Groups module after logging in. Go to the Users module and open the user, that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new policy and name it “edit-user”. Choose “UDM - Users (udm-users)” as an allowed UMC operation and create another new entry in the same policy, where you choose “UDM - Groups (udm-groups)” as an allowed UMC operation. Save the settings.

Now the user should be able to access the Users and Groups module via the UMC.

Assigning permissions for user creation

To grant the user of your choice the permission to create a user, set the following UCR variables:

ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes"
ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>"

You can find out about the group DN of your user by running

udm users/user list --filter uid=<username> | grep primaryGroup

Finally edit the container groups and temporary (you can find it below the container “univention”)of the LDAP directory. You can simply follow the instruction of the section “Editing container” again. Make sure the DN of your users is in the text field “editing user” and “editing groups”.

After that, execute the following command to restart your LDAP server:

systemctl restart slapd

Now the users of your choice will be able to create users or manage groups.

Further information

Further information about using UCR

This topic was automatically closed after 24 hours. New replies are no longer allowed.